terraform-analyzer

Specialized skill for analyzing Terraform configurations. Supports parsing, security scanning (tfsec, checkov), cost estimation (infracost), drift detection, and plan visualization across AWS, Azure, and GCP.

509 stars

Best use case

terraform-analyzer is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using terraform-analyzer should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

curl -o ~/.claude/skills/terraform-analyzer/SKILL.md --create-dirs "https://raw.githubusercontent.com/a5c-ai/babysitter/main/library/specializations/software-architecture/skills/terraform-analyzer/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/terraform-analyzer/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How terraform-analyzer Compares

| Feature / Agent | terraform-analyzer | Standard Approach |
|-----------------|--------------------|-------------------|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |

Frequently Asked Questions

What does this skill do?

Specialized skill for analyzing Terraform configurations. Supports parsing, security scanning (tfsec, checkov), cost estimation (infracost), drift detection, and plan visualization across AWS, Azure, and GCP.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# terraform-analyzer

You are **terraform-analyzer** - a specialized skill for analyzing Terraform configurations and Infrastructure as Code. This skill enables AI-powered infrastructure analysis for security, cost, and compliance.

## Overview

This skill enables comprehensive Terraform analysis including:
- Parse and validate Terraform configurations
- Security scanning with tfsec, checkov, terrascan
- Cost estimation with infracost
- Drift detection between state and actual infrastructure
- Plan visualization and change analysis
- Support for AWS, Azure, GCP providers

## Prerequisites

- Terraform CLI (v1.0+) installed
- Optional: tfsec, checkov, terrascan, infracost. The static scanners work on the HCL alone and need no cloud credentials; infracost needs an Infracost API key.
- Provider credentials for plan, drift detection and apply. Use a read-only identity for drift detection and plan-only CI jobs; only the apply step needs write access.

## Capabilities

### 1. Terraform Configuration Parsing

Parse and analyze Terraform configurations:

```hcl
# Example configuration being analyzed
resource "aws_instance" "web" {
  ami           = var.ami_id
  instance_type = var.instance_type

  vpc_security_group_ids = [aws_security_group.web.id]
  subnet_id              = aws_subnet.private.id

  root_block_device {
    volume_size = 100
    volume_type = "gp3"
    encrypted   = true
  }

  tags = {
    Name        = "web-server"
    Environment = var.environment
  }
}

resource "aws_security_group" "web" {
  name        = "web-sg"
  description = "Security group for web servers"
  vpc_id      = aws_vpc.main.id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]  # Security finding: open to world
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

### 2. Security Scanning

#### tfsec Analysis

```bash
# Run tfsec security scan. The exit status is non-zero when findings remain
# (use --soft-fail to report without failing the job), which is what a CI gate wants.
tfsec . --format json --out tfsec-report.json
```

Example findings (by default only failed checks are listed; `--include-passed` and `--include-ignored` add the others, each with a different `status` value):

```json
{
  "results": [
    {
      "rule_id": "aws-vpc-no-public-ingress-sgr",
      "severity": "CRITICAL",
      "description": "Security group rule allows ingress from public internet",
      "resource": "aws_security_group.web",
      "location": {
        "filename": "security.tf",
        "start_line": 15
      },
      "resolution": "Restrict ingress to specific CIDR blocks"
    }
  ]
}
```

#### Checkov Analysis

```bash
# Run Checkov security and compliance scan. Exit status is 1 when any check
# fails (use --soft-fail to report without failing the job).
checkov -d . --output json > checkov-report.json
```

Example findings (abbreviated). Checkov keeps the counters under `summary` and the per-check detail under `results`; when it scans more than one framework in the directory (for example terraform and secrets) it emits a JSON list of such objects, one per framework:

```json
{
  "check_type": "terraform",
  "results": {
    "failed_checks": [
      {
        "check_id": "CKV_AWS_23",
        "check_name": "Ensure every security groups rule has a description",
        "resource": "aws_security_group.web",
        "guideline": "https://docs.bridgecrew.io/docs/..."
      },
      {
        "check_id": "CKV_AWS_24",
        "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22",
        "resource": "aws_security_group.web"
      }
    ]
  },
  "summary": {
    "passed": 45,
    "failed": 3,
    "skipped": 0
  }
}
```

#### Terrascan Analysis

```bash
# Run Terrascan policy scan (non-zero exit status when violations are found)
terrascan scan -d . -o json > terrascan-report.json
```

### 3. Cost Estimation

Using Infracost for cost analysis. Infracost parses the HCL directly, so it needs no cloud credentials, but it does need an Infracost API key and sends pricing lookups (resource types, regions, sizes) to its Cloud Pricing API; confirm that is acceptable for the repository before enabling it in CI.

```bash
# Generate cost breakdown
infracost breakdown --path . --format json > cost-report.json
```

Example output (abbreviated):

```json
{
  "version": "0.2",
  "currency": "USD",
  "projects": [
    {
      "name": "production",
      "breakdown": {
        "resources": [
          {
            "name": "aws_instance.web",
            "monthlyQuantity": 730,
            "unit": "hours",
            "hourlyRate": "0.0416",
            "monthlyCost": "30.37"
          },
          {
            "name": "aws_ebs_volume.data",
            "monthlyQuantity": 100,
            "unit": "GB",
            "monthlyCost": "10.00"
          }
        ],
        "totalMonthlyCost": "540.37",
        "totalHourlyCost": "0.74"
      }
    }
  ],
  "totalMonthlyCost": "540.37"
}
```

### 4. Drift Detection

Detect configuration drift, that is, real infrastructure differing from what the state file records:

```bash
# Refresh-only plan: reads the real infrastructure and reports where it differs
# from state without proposing configuration changes. Read-only provider
# credentials are enough. Saving the plan lets `terraform show -json` expose
# the structured resource_drift list (`terraform plan -json` instead streams
# one JSON object per line, which is harder to post-process).
terraform plan -refresh-only -out=drift.tfplan
terraform show -json drift.tfplan > drift-report.json
```

Example `resource_drift` entry, with the summary the skill derives from it:

```json
{
  "resource_drift": [
    {
      "address": "aws_instance.web",
      "type": "aws_instance",
      "name": "web",
      "change": {
        "actions": ["update"],
        "before": {
          "instance_type": "t3.medium"
        },
        "after": {
          "instance_type": "t3.large"
        }
      }
    }
  ],
  "summary": {
    "total_resources": 45,
    "drifted_resources": 1,
    "unchanged_resources": 44
  }
}
```

Terraform reports only the before and after values; it does not know why a resource drifted. The `summary` block is computed by the skill, and attribution (for example a manual change made in the console) has to come from the provider's audit log, such as AWS CloudTrail.

### 5. Plan Visualization

Analyze and visualize Terraform plans:

```bash
# Generate plan and render it as JSON for analysis
terraform plan -out=tfplan
terraform show -json tfplan > plan.json
```

Plan analysis output (`resource_changes` comes from Terraform; the `summary` counts are derived by the skill):

```json
{
  "format_version": "1.0",
  "resource_changes": [
    {
      "address": "aws_instance.web",
      "mode": "managed",
      "type": "aws_instance",
      "name": "web",
      "change": {
        "actions": ["update"],
        "before": {
          "instance_type": "t3.small"
        },
        "after": {
          "instance_type": "t3.medium"
        }
      }
    }
  ],
  "summary": {
    "add": 2,
    "change": 1,
    "destroy": 0
  }
}
```

The plan file and its JSON rendering contain every planned attribute value, including secrets such as database passwords, so treat them as sensitive artifacts: restrict who can read them in CI and never attach them to public build logs.
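The following script is an added example for this page (it is not the terraform-analyzer skill's code and not a Terraform feature). It reads the `terraform show -json` output used by both the drift detection and plan visualization steps above, computes the derived summary counts, and flags the transitions a reviewer most wants to see before apply: destructive actions, encryption being switched off, and ingress newly opened to the world. The plan JSON fields it reads (`resource_drift`, `resource_changes`, `change.actions/before/after`) are the documented ones; the risk rules and the constructed `PLAN_SAMPLE` are this example's own.

```python
"""Summarise a `terraform show -json` plan: drift, change counts, risky transitions.

Added example; not the terraform-analyzer skill's code and not a Terraform
feature. Reads the documented plan-JSON fields; the risk rules and the
constructed PLAN_SAMPLE below are this example's own.
"""
import json

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample of `terraform show -json`, trimmed to the fields used here.
PLAN_SAMPLE = json.dumps({
    "format_version": "1.0",
    "resource_drift": [
        {"address": "aws_instance.web", "type": "aws_instance", "name": "web",
         "change": {"actions": ["update"],
                    "before": {"instance_type": "t3.medium"},
                    "after": {"instance_type": "t3.large"}}},
    ],
    "resource_changes": [
        {"address": "aws_instance.web", "type": "aws_instance", "name": "web",
         "change": {"actions": ["update"],
                    "before": {"instance_type": "t3.small",
                               "root_block_device": [{"encrypted": True}]},
                    "after": {"instance_type": "t3.medium",
                              "root_block_device": [{"encrypted": False}]}}},
        {"address": "aws_security_group.web", "type": "aws_security_group", "name": "web",
         "change": {"actions": ["update"],
                    "before": {"ingress": [{"from_port": 22, "cidr_blocks": ["10.0.0.0/8"]}]},
                    "after": {"ingress": [{"from_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
        {"address": "aws_db_instance.main", "type": "aws_db_instance", "name": "main",
         "change": {"actions": ["delete", "create"],
                    "before": {"engine": "postgres"}, "after": {"engine": "postgres"}}},
        {"address": "aws_subnet.private", "type": "aws_subnet", "name": "private",
         "change": {"actions": ["create"], "before": None,
                    "after": {"cidr_block": "10.0.1.0/24"}}},
        {"address": "aws_route_table.main", "type": "aws_route_table", "name": "main",
         "change": {"actions": ["no-op"], "before": {"vpc_id": "vpc-1"},
                    "after": {"vpc_id": "vpc-1"}}},
    ],
})


def classify(actions):
    """Map Terraform's action list to one word; delete+create in either order is a replace."""
    if "delete" in actions and "create" in actions:
        return "replace"
    return actions[0]  # create, update, delete, read or no-op


def leaves(obj, path=()):
    """Yield (path, value) for every scalar inside nested dicts/lists."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from leaves(val, path + (key,))
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from leaves(val, path + (idx,))
    else:
        yield path, obj


def risky_changes(rc):
    """Flag destructive actions, encryption downgrades and newly public ingress."""
    change = rc["change"]
    before = dict(leaves(change.get("before") or {}))
    after = dict(leaves(change.get("after") or {}))
    flags = []
    kind = classify(change["actions"])
    if kind in ("delete", "replace"):
        flags.append(f"{kind}: resource will be destroyed")
    for path, val in after.items():
        key = path[-1] if path else ""
        # any *encrypted attribute that was true in state and false in the plan
        if isinstance(key, str) and key.endswith("encrypted") \
                and val is False and before.get(path) is True:
            flags.append("encryption disabled at " + "/".join(map(str, path)))
    public_before = sum(1 for p, v in before.items() if "ingress" in p and v in PUBLIC_CIDRS)
    public_after = sum(1 for p, v in after.items() if "ingress" in p and v in PUBLIC_CIDRS)
    if public_after > public_before:
        flags.append("ingress opened to the public internet")
    return flags


def analyze(plan_text):
    """Return drift entries, Terraform-style change counts and risk flags."""
    plan = json.loads(plan_text)
    drift = [{"address": d["address"],
              "before": d["change"].get("before"),
              "after": d["change"].get("after")}
             for d in plan.get("resource_drift", [])]
    # replace is counted separately; Terraform's text summary counts it as add+destroy
    summary = {"add": 0, "change": 0, "destroy": 0, "replace": 0}
    bucket = {"create": "add", "update": "change", "delete": "destroy", "replace": "replace"}
    risks = []
    for rc in plan.get("resource_changes", []):
        kind = classify(rc["change"]["actions"])
        if kind in bucket:
            summary[bucket[kind]] += 1
        risks.extend({"address": rc["address"], "flag": f} for f in risky_changes(rc))
    return {"drift": drift, "summary": summary, "risks": risks}


if __name__ == "__main__":
    print(json.dumps(analyze(PLAN_SAMPLE), indent=2))
```

Run it against a real `plan.json` by replacing `PLAN_SAMPLE` with the file contents. The encryption rule matches any attribute ending in `encrypted` at any nesting depth, so it covers `root_block_device.encrypted`, `storage_encrypted` and similar without a per-resource table.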

### 6. Module Analysis

Analyze Terraform module structure. The dependency map below is the shape the skill produces from the configuration; it is not the output of a Terraform command:

```json
// Module dependency analysis
{
  "modules": {
    "root": {
      "path": ".",
      "source": "local",
      "version": null,
      "dependencies": ["./modules/vpc", "./modules/compute"]
    },
    "vpc": {
      "path": "./modules/vpc",
      "source": "local",
      "resources": ["aws_vpc", "aws_subnet", "aws_route_table"]
    },
    "compute": {
      "path": "./modules/compute",
      "source": "local",
      "resources": ["aws_instance", "aws_autoscaling_group"],
      "depends_on": ["vpc"]
    }
  },
  "external_modules": [
    {
      "source": "terraform-aws-modules/vpc/aws",
      "version": "5.0.0",
      "registry": "registry.terraform.io"
    }
  ]
}
```
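Module analysis is also where supply-chain pinning gets checked. The script below is an added example (not part of the terraform-analyzer skill or of Terraform): it extracts `module` blocks from HCL with a regex that assumes `terraform fmt` layout (closing brace in column 0), classifies each `source` the way Terraform resolves it, and reports registry modules without an exact version and git sources that track a branch or a movable tag instead of a commit SHA. The constructed `HCL_SAMPLE` and its `example-org` URLs are placeholders.

```python
"""Audit module sources in Terraform HCL for supply-chain pinning.

Added example for this page, not the skill's or Terraform's code. The regex
extraction assumes `terraform fmt` layout, so this is a lint, not a full HCL
parser. The rules and the constructed HCL_SAMPLE are this example's own.
"""
import re

# Constructed sample; example-org URLs are placeholders.
HCL_SAMPLE = '''
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.0.0"
}

module "compute" {
  source = "./modules/compute"
}

module "bastion" {
  source = "git::https://github.com/example-org/terraform-bastion.git?ref=v1.2.0"
}

module "logging" {
  source = "terraform-aws-modules/cloudwatch/aws"
}

module "edge" {
  source = "git::https://github.com/example-org/terraform-edge.git"
}

module "kms" {
  source  = "terraform-aws-modules/kms/aws"
  version = ">= 1.0"
}
'''

MODULE_BLOCK = re.compile(r'^module\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}', re.S | re.M)
ATTRIBUTE = re.compile(r'^\s*(?P<key>source|version)\s*=\s*"(?P<val>[^"]*)"', re.M)
EXACT_VERSION = re.compile(r"\d+\.\d+\.\d+")
GIT_REF = re.compile(r"[?&]ref=([^&]+)")
COMMIT_SHA = re.compile(r"[0-9a-f]{40}")


def parse_modules(hcl_text):
    """Return [(name, source, version-or-None)] for every module block."""
    modules = []
    for block in MODULE_BLOCK.finditer(hcl_text):
        attrs = {m.group("key"): m.group("val") for m in ATTRIBUTE.finditer(block.group("body"))}
        modules.append((block.group("name"), attrs.get("source", ""), attrs.get("version")))
    return modules


def source_kind(source):
    """Classify a module source the way Terraform resolves it."""
    if source.startswith(("./", "../")):
        return "local"
    if source.startswith(("git::", "git@")) or "github.com/" in source or "bitbucket.org/" in source:
        return "git"
    if source.startswith(("hg::", "s3::", "gcs::", "http://", "https://")):
        return "remote-archive"
    return "registry"


def check_module(name, source, version):
    """Return an issue string, or None when the module is pinned to immutable content."""
    kind = source_kind(source)
    if kind == "local":
        return None
    if kind == "registry":
        if version is None:
            return "registry source without a version pin (resolves to latest)"
        if not EXACT_VERSION.fullmatch(version):
            return f'version constraint "{version}" is not an exact pin'
        return None
    if kind == "git":
        ref = GIT_REF.search(source)
        if not ref:
            return "git source without ?ref= (tracks the default branch)"
        if not COMMIT_SHA.fullmatch(ref.group(1)):
            return f'git ref "{ref.group(1)}" is a movable tag or branch, not a commit SHA'
        return None
    return f"{kind} source is fetched without Terraform-side verification; mirror it and pin by checksum"


def audit(hcl_text):
    """Run check_module over every module block and return the findings."""
    findings = []
    for name, source, version in parse_modules(hcl_text):
        issue = check_module(name, source, version)
        if issue:
            findings.append({"module": name, "source": source, "issue": issue})
    return findings


if __name__ == "__main__":
    for f in audit(HCL_SAMPLE):
        print(f'module "{f["module"]}": {f["issue"]}')
```

Terraform's dependency lock file (`.terraform.lock.hcl`) records provider versions and hashes only, not modules, so the `source` and `version` arguments are the only thing holding module content stable between runs; that is why an exact version or a commit SHA matters more here than for providers.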

### 7. Compliance Checking

Check compliance with organizational policies:

```yaml
# Policy definition
policies:
  - name: require-encryption
    description: All storage must be encrypted
    resource_types: [aws_ebs_volume, aws_db_instance, aws_s3_bucket]
    rules:
      - attribute: encrypted
        value: true
      - attribute: storage_encrypted
        value: true

  - name: require-tags
    description: All resources must have required tags
    rules:
      - attribute: tags
        contains: [Environment, Owner, CostCenter]

  - name: restrict-instance-types
    description: Only allow approved instance types
    resource_types: [aws_instance]
    rules:
      - attribute: instance_type
        allowed_values: [t3.micro, t3.small, t3.medium, t3.large]
```
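The policy format above is the skill's own, so there is no off-the-shelf evaluator for it. The script below is an added example (not the terraform-analyzer skill's evaluator) showing how those three policies can be applied to the planned values in `terraform show -json` output, reading `resource_changes[].change.after`. `POLICIES` mirrors the YAML as `yaml.safe_load` would return it, written inline so the script runs without PyYAML; the constructed `PLAN_SAMPLE` is this example's own. One design point it makes explicit: an attribute absent from `after` is reported as `unknown`, not pass or fail, because the value is either unset or only known after apply (Terraform lists those under `after_unknown`).

```python
"""Evaluate the skill's policy format against a `terraform show -json` plan.

Added example for this page, not the skill's own evaluator. POLICIES mirrors
the YAML above; PLAN_SAMPLE is constructed. Missing attributes are "unknown".
"""
import json

POLICIES = [
    {"name": "require-encryption",
     "resource_types": ["aws_ebs_volume", "aws_db_instance", "aws_s3_bucket"],
     "rules": [{"attribute": "encrypted", "value": True},
               {"attribute": "storage_encrypted", "value": True}]},
    {"name": "require-tags",
     "rules": [{"attribute": "tags", "contains": ["Environment", "Owner", "CostCenter"]}]},
    {"name": "restrict-instance-types", "resource_types": ["aws_instance"],
     "rules": [{"attribute": "instance_type",
                "allowed_values": ["t3.micro", "t3.small", "t3.medium", "t3.large"]}]},
]

FULL_TAGS = {"Environment": "prod", "Owner": "platform", "CostCenter": "CC-100"}

# Constructed plan JSON, trimmed to the fields read here.
PLAN_SAMPLE = json.dumps({"resource_changes": [
    {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume",
     "change": {"actions": ["create"], "after": {"encrypted": True, "tags": FULL_TAGS}}},
    {"address": "aws_db_instance.main", "type": "aws_db_instance",
     "change": {"actions": ["update"],
                "after": {"storage_encrypted": False, "tags": {"Environment": "prod"}}}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "logs", "tags": FULL_TAGS}}},
    {"address": "aws_instance.web", "type": "aws_instance",
     "change": {"actions": ["update"], "after": {"instance_type": "m5.xlarge", "tags": FULL_TAGS}}},
    {"address": "aws_instance.old", "type": "aws_instance",
     "change": {"actions": ["delete"], "after": None}},
]})


def evaluate_rule(rule, after):
    """Return ('pass'|'fail'|'unknown', detail) for one rule against planned values."""
    attr = rule["attribute"]
    if attr not in after:
        return "unknown", f"{attr} absent from plan (unset or known after apply)"
    val = after[attr]
    if "value" in rule:
        return ("pass" if val == rule["value"] else "fail"), f"{attr}={val!r}"
    if "contains" in rule:
        keys = set(val) if isinstance(val, dict) else set()
        missing = sorted(set(rule["contains"]) - keys)
        if missing:
            return "fail", f"missing {attr}: {', '.join(missing)}"
        return "pass", "all present"
    if "allowed_values" in rule:
        return ("pass" if val in rule["allowed_values"] else "fail"), f"{attr}={val!r}"
    raise ValueError(f"unsupported rule: {rule}")


def evaluate_policy(policy, after):
    """Any failing rule fails the policy; no pass and only unknowns is unknown."""
    outcomes = [evaluate_rule(r, after) for r in policy["rules"]]
    for result, detail in outcomes:
        if result == "fail":
            return "fail", detail
    if any(result == "pass" for result, _ in outcomes):
        return "pass", "ok"
    return "unknown", "; ".join(d for _, d in outcomes)


def evaluate_plan(plan_text, policies=POLICIES):
    """Apply every applicable policy to every resource that will exist after apply."""
    results = []
    for rc in json.loads(plan_text)["resource_changes"]:
        after = rc["change"].get("after")
        if after is None:  # deleted resources have nothing to check
            continue
        for policy in policies:
            types = policy.get("resource_types")
            if types and rc["type"] not in types:
                continue
            result, detail = evaluate_policy(policy, after)
            results.append({"address": rc["address"], "policy": policy["name"],
                            "result": result, "detail": detail})
    return results


def gate(results):
    """True when no policy failed; unknowns are surfaced for review, not blocked."""
    return not any(r["result"] == "fail" for r in results)


if __name__ == "__main__":
    for r in evaluate_plan(PLAN_SAMPLE):
        if r["result"] != "pass":
            print(f'{r["result"].upper():7} {r["address"]:24} {r["policy"]}: {r["detail"]}')
```

The `aws_s3_bucket` case shows why the `unknown` state is worth keeping: in AWS provider v4 and later the bucket resource carries no `encrypted` attribute at all (encryption lives on a separate configuration resource), so a pass/fail-only evaluator would silently report it as compliant or flag every bucket.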

## MCP Server Integration

This skill can leverage the following MCP servers:

| Server | Description | Installation |
|--------|-------------|--------------|
| Terraform MCP Server (HashiCorp) | Official Terraform Registry integration | [GitHub](https://github.com/hashicorp/terraform-mcp-server) |
| AWS Terraform MCP Server | Terraform with Checkov and AWS best practices | [AWS Labs](https://awslabs.github.io/mcp/) |

## Best Practices

### Security Scanning Workflow

```yaml
workflow:
  pre_commit:
    - terraform fmt -check
    - terraform validate
    - tfsec --minimum-severity HIGH

  ci_pipeline:
    - terraform init
    - terraform validate
    - tfsec --format sarif
    - checkov -d . --output sarif
    - infracost breakdown --path .

  pre_deploy:
    - terraform plan -out=tfplan
    - infracost diff --path tfplan
    - manual_review_required: true
```

### Recommended Thresholds

```yaml
security_thresholds:
  tfsec:
    max_critical: 0
    max_high: 0
    max_medium: 5
  checkov:
    min_passed_percentage: 90
  infracost:
    max_monthly_increase_percentage: 20
    require_approval_above: 1000  # USD
```
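The CI stage of the workflow above produces the tfsec and Checkov reports, and the thresholds say when they should fail the pipeline; the script below is an added example (not part of the terraform-analyzer skill or of either scanner) that joins the two. It counts open tfsec findings by severity, aggregates Checkov's `summary` counters across frameworks, and returns a verdict against the recommended thresholds. The sample reports are constructed inline; the rule ids other than the page's `aws-vpc-no-public-ingress-sgr` are placeholders. Two scanner details it handles on purpose: tfsec marks a failed check with `status` 0 and only includes passed or ignored results when `--include-passed`/`--include-ignored` is given, so those must not be counted; and Checkov emits a JSON list rather than one object when it scanned more than one framework.

```python
"""Gate a Terraform change on tfsec and Checkov JSON reports.

Added example for this page; not the skill's or either scanner's code.
Thresholds mirror the "Recommended Thresholds" section; the two sample
reports are constructed so the script runs offline.
"""
import json
from collections import Counter

THRESHOLDS = {
    "tfsec": {"max_critical": 0, "max_high": 0, "max_medium": 5},
    "checkov": {"min_passed_percentage": 90},
}

# Constructed tfsec report (shape of `tfsec . --format json`). status 0 = failed;
# the HIGH entry with status 1 stands in for a passed check emitted by --include-passed.
TFSEC_SAMPLE = json.dumps({"results": [
    {"rule_id": "aws-vpc-no-public-ingress-sgr", "severity": "CRITICAL", "status": 0,
     "resource": "aws_security_group.web"},
    {"rule_id": "example-medium-rule-a", "severity": "MEDIUM", "status": 0,
     "resource": "aws_instance.web"},
    {"rule_id": "example-low-rule-b", "severity": "LOW", "status": 0,
     "resource": "aws_instance.web"},
    {"rule_id": "example-passed-rule-c", "severity": "HIGH", "status": 1,
     "resource": "aws_instance.web"},
]})

# Constructed Checkov report (shape of `checkov -d . --output json` when two
# frameworks were scanned, hence a list).
CHECKOV_SAMPLE = json.dumps([
    {"check_type": "terraform",
     "results": {"failed_checks": [{"check_id": "CKV_AWS_24", "resource": "aws_security_group.web"}]},
     "summary": {"passed": 45, "failed": 3, "skipped": 0}},
    {"check_type": "secrets",
     "results": {"failed_checks": []},
     "summary": {"passed": 2, "failed": 0, "skipped": 0}},
])


def tfsec_counts(report_text):
    """Count open tfsec findings by severity; a missing status is treated as failed."""
    counts = Counter()
    for r in json.loads(report_text).get("results") or []:
        if r.get("status", 0) != 0:
            continue
        counts[str(r.get("severity", "UNKNOWN")).upper()] += 1
    return counts


def checkov_pass_rate(report_text):
    """Aggregate Checkov summaries across frameworks; skipped checks are excluded."""
    data = json.loads(report_text)
    reports = data if isinstance(data, list) else [data]
    passed = sum(r["summary"]["passed"] for r in reports)
    failed = sum(r["summary"]["failed"] for r in reports)
    total = passed + failed
    return 100.0 if total == 0 else round(100.0 * passed / total, 1)


def evaluate(tfsec_text, checkov_text, thresholds=THRESHOLDS):
    """Return a verdict dict; the pipeline should fail when any threshold is exceeded."""
    counts = tfsec_counts(tfsec_text)
    limits = thresholds["tfsec"]
    violations = []
    for sev, key in (("CRITICAL", "max_critical"), ("HIGH", "max_high"), ("MEDIUM", "max_medium")):
        if counts[sev] > limits[key]:
            violations.append(f"tfsec {sev.lower()} findings {counts[sev]} > {limits[key]}")
    rate = checkov_pass_rate(checkov_text)
    minimum = thresholds["checkov"]["min_passed_percentage"]
    if rate < minimum:
        violations.append(f"checkov pass rate {rate}% < {minimum}%")
    return {
        "tfsec": dict(counts),
        "checkov_passed_percentage": rate,
        "violations": violations,
        "passed": not violations,
    }


if __name__ == "__main__":
    import sys
    verdict = evaluate(TFSEC_SAMPLE, CHECKOV_SAMPLE)
    print(json.dumps(verdict, indent=2))
    sys.exit(0 if verdict["passed"] else 1)
```

In a pipeline, replace the two samples with the contents of `tfsec-report.json` and `checkov-report.json` and use the exit status as the gate; keeping the thresholds in one place, as here, is what makes the "Document all policy exceptions" constraint below auditable.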

## Process Integration

This skill integrates with the following processes:
- `iac-review.js` - Primary IaC analysis workflow
- `cloud-architecture-design.js` - Architecture validation
- `devops-architecture-alignment.js` - DevOps integration

## Output Format

When analyzing configurations, provide structured output:

```json
{
  "operation": "analyze",
  "status": "completed",
  "configuration": {
    "path": "./infrastructure",
    "provider": "aws",
    "resources": 45,
    "modules": 5
  },
  "security": {
    "tool": "tfsec",
    "findings": {
      "critical": 0,
      "high": 2,
      "medium": 5,
      "low": 8
    },
    "passed": true,
    "threshold_exceeded": false
  },
  "compliance": {
    "tool": "checkov",
    "passed": 42,
    "failed": 3,
    "skipped": 0,
    "passed_percentage": 93.3
  },
  "cost": {
    "tool": "infracost",
    "monthly_estimate": "$540.37",
    "hourly_estimate": "$0.74",
    "change_from_baseline": "+$45.00"
  },
  "drift": {
    "detected": true,
    "resources_drifted": 1,
    "total_resources": 45
  },
  "artifacts": [
    "tfsec-report.json",
    "checkov-report.json",
    "cost-report.json"
  ],
  "recommendations": [
    {
      "priority": "high",
      "category": "security",
      "description": "Restrict security group ingress rules",
      "resource": "aws_security_group.web"
    }
  ]
}
```

## Error Handling

### Common Errors

| Error | Cause | Resolution |
|-------|-------|------------|
| `Provider not configured` | Missing credentials | Configure provider credentials |
| `Module not found` | Invalid source path | Check module source configuration |
| `State lock error` | Concurrent access | Wait for the other run to finish; use `terraform force-unlock <LOCK_ID>` only after confirming no apply is still running, since breaking a live lock can corrupt state |
| `Validation failed` | Invalid HCL syntax | Fix syntax errors |

## Constraints

- Run security scans on every change
- Require cost estimation for production
- Block deployments with critical findings
- Document all policy exceptions
- Review drift reports regularly

Related Skills

db-query-analyzer

509
from a5c-ai/babysitter

Analyze database query performance with execution plans and index recommendations

code-complexity-analyzer

509
from a5c-ai/babysitter

Analyze code complexity metrics including cyclomatic complexity, code smells, and technical debt

cloudformation-analyzer

509
from a5c-ai/babysitter

Validate and analyze AWS CloudFormation templates for security and best practices

semantic-code-analyzer

509
from a5c-ai/babysitter

LLM-powered semantic analysis of code diffs to detect business-logic trojans

sast-analyzer

509
from a5c-ai/babysitter

Static Application Security Testing orchestration and analysis. Execute Semgrep, Bandit, ESLint security plugins, CodeQL, and other SAST tools. Parse, prioritize, and deduplicate findings across multiple tools with remediation guidance.

crypto-analyzer

509
from a5c-ai/babysitter

Cryptographic implementation analysis and validation for encryption algorithms, key sizes, and certificate management

semver-analyzer

509
from a5c-ai/babysitter

Analyze code changes and determine semantic version bumps. Detect breaking changes automatically, suggest version bump (major/minor/patch), generate changelog entries, and validate version consistency.

api-diff-analyzer

509
from a5c-ai/babysitter

Compare API specifications to detect breaking changes. Compare OpenAPI spec versions, categorize changes by severity, generate migration guides, and block breaking changes in CI.

process-analyzer

509
from a5c-ai/babysitter

Analyze processes, identify workflows, define boundaries and scope, and map process requirements for specialization creation.

scope-logic-analyzer

509
from a5c-ai/babysitter

Test equipment integration for signal analysis (oscilloscope and logic analyzer)

protocol-analyzer

509
from a5c-ai/babysitter

Serial protocol analysis and debugging for common embedded interfaces (I2C, SPI, UART)

time-series-analyzer

509
from a5c-ai/babysitter

Skill for time series analysis and forecasting